Mailinglist Archive: opensuse-support (220 mails)

Re: [opensuse-support] 2FA for crypted disk


On 22.01.2019 at 09:07, Wolfgang Rosenauer wrote:
Hi,

On 22.01.19 at 08:45, Adam Mizerski wrote:
1) There was a similar thread, you might find interesting:
https://lists.opensuse.org/archive/opensuse/2018-12/msg00127.html

thanks for the pointer. I missed that.

2) Show a link to the howto you found.

https://github.com/cornelinux/yubikey-luks
https://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authentifizierung-unter-linux-nutzen-1507-115155-2.html
(German, pretty much a translation from the github README)

This looks quite good (it uses yubikey to mangle given password). The
problem I see is that openSUSE uses mkinitrd/dracut to create initrd,
which works differently than debian/ubuntu. Somebody with experience in
this field should hop in here.

3) LUKS has 8 slots for various keys to unlock the partition. You can
set up 3 passwords and 2 keyfiles and you need at least one to unlock
(https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Key_management).
This should keep you safe from losing access to your data.

That's around the lines I found already. But for me this stops pretty
immediately when trying to check prerequisites.

# cryptsetup status /dev/mapper/cr_home
/dev/mapper/cr_home is active and is in use.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
key location: dm-crypt
device: /dev/nvme0n1p7
sector size: 512
offset: 4096 sectors
size: 888360960 sectors
mode: read/write

but
# cryptsetup luksDump /dev/mapper/cr_home
Device /dev/mapper/cr_home is not a valid LUKS device.

So I'm not even sure I can continue to add keys.

The encrypted FS is what YaST created when I installed Tumbleweed
roughly a year ago.
Is it usable at all?

Try:
cryptsetup luksDump /dev/nvme0n1p7


Seems I need a virtual playground first before trying to fiddle with my
real hardware and break something.


Oh yes. Playing with virtual machines is always fun! You can make snapshots
and rollback if something breaks.


Wolfgang

On 21.01.2019 at 23:26, Wolfgang Rosenauer wrote:

as I understand from searching around it should be possible to do something
like 2FA for crypto devices (LUKS). Or at least some challenge response.

I've got a Yubikey and I found an Ubuntu howto. Because this is a bit of a
risky implementation when my crypted home partition is not accessible anymore
I'm a bit hesitant to experiment like I do typically.

Therefore: Does anyone have a pointer to a HOWTO which works for openSUSE
Tumbleweed?


Thanks,
Wolfgang
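
Added example, not part of the thread: a minimal LUKS1 header parser showing why luksDump has to read the backing partition (the header sits at its start, while the /dev/mapper node begins at the payload offset) and how the 8 key slots are recorded on disk. The sample header is constructed to mirror the cryptsetup status values quoted above; the function names are assumptions of this example.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), key bytes, MK digest, MK salt, MK iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# Key slot: state, iterations, salt, key material offset (sectors), stripes.
SLOT = struct.Struct(">II32sII")
NUM_SLOTS = 8


def parse_luks1(blob):
    """Return LUKS1 header fields, or None if blob does not start with one."""
    if len(blob) < PHDR.size + NUM_SLOTS * SLOT.size or blob[:6] != LUKS_MAGIC:
        return None
    _magic, version, cipher, mode, _hash, payload, key_bytes, *_rest = \
        PHDR.unpack_from(blob)
    if version != 1:
        return None  # LUKS2 keeps its metadata in a different layout
    text = lambda raw: raw.split(b"\0", 1)[0].decode("ascii")
    states = [SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)[0]
              for i in range(NUM_SLOTS)]
    return {
        "cipher": f"{text(cipher)}-{text(mode)}",
        "keysize_bits": key_bytes * 8,
        "payload_offset": payload,
        "active_slots": [i for i, s in enumerate(states) if s == SLOT_ACTIVE],
        "free_slots": [i for i, s in enumerate(states) if s == SLOT_DISABLED],
    }


def build_sample_header(active=(0,)):
    """Constructed sample; values mirror the cryptsetup status output above."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32,
                    bytes(20), bytes(32), 1000, b"constructed-sample-uuid")
    for i in range(NUM_SLOTS):
        state = SLOT_ACTIVE if i in active else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, bytes(32), 8 + i * 256, 4000)
    return hdr


if __name__ == "__main__":
    backing = build_sample_header(active=(0,))  # stands in for the partition
    mapped = bytes(1024)                        # stands in for the opened mapping
    print("backing device:", parse_luks1(backing))
    print("mapped device: ", parse_luks1(mapped))
```
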



